Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

74 matches found

Nuclei
Nucleiadded 17 hours ago21 views

esm.sh <= v136 - Local File Inclusion

esm.sh = 136 contains a local file inclusion caused by improper URL handling, letting attackers read arbitrary files from the host filesystem remotely, exploit requires crafted request. id: CVE-2025-59341 info: name: esm.sh = v136 - Local File Inclusion author: 0xAkoko severity: high description:...

8.7CVSS7.8AI score0.00901EPSS
Exploits0References3
Nuclei
Nucleiadded 17 hours ago8 views

esm.sh <= v136 - Arbitrary File Write via Path Traversal

esm.sh = 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting attackers write files outside the intended storage directory, exploit requires crafted header input. id: CVE-2025-59342 info: name: esm.sh = v136 - Arbitrary File Write via Path...

6.9CVSS7.7AI score0.06448EPSS
Exploits2References3
RedhatCVE
RedhatCVEadded yesterday2 views

CVE-2026-44594

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS5.6AI score0.00057EPSS
Exploits0References1
RedhatCVE
RedhatCVEadded 4 days ago8 views

CVE-2026-44593

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7CVSS5.9AI score0.00082EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/28 2:45 p.m.25 views

CVE-2026-44594 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS0.00057EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/05/28 2:45 p.m.5 views

CVE-2026-44594

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS6AI score0.00057EPSS
Exploits0References2Affected Software1
CVE
CVEadded 2026/05/28 2:45 p.m.9 views

CVE-2026-44594

CVE-2026-44594 describes a Local File Inclusion (LFI) in esm.sh’s esbuild plugin handling of the browser field in package.json. The vulnerability allows an attacker to publish a crafted npm package that, during the build, causes the server to read and return arbitrary files from the host filesyst...

7.5CVSS6AI score0.00057EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/05/28 2:45 p.m.7 views

CVE-2026-44594 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS6AI score0.00057EPSS
Exploits0References1
EUVD
EUVDadded 2026/05/28 2:45 p.m.6 views

EUVD-2026-32911

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS6AI score0.00057EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/28 2:44 p.m.24 views

CVE-2026-44593 esm.sh: Legacy Route Path Traversal Can Lead to RCE

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7CVSS0.00082EPSS
Exploits0References1
CVE
CVEadded 2026/05/28 2:44 p.m.8 views

CVE-2026-44593

esm.sh (no-build CDN) vulnerable to path traversal in legacy_router.go. In versions up to 137, the router concatenates request path components without sanitization, generating a storage key that can resolve to arbitrary filesystem paths (example: writing to /tmp/pwned). This allows an attacker to...

8.7CVSS5.9AI score0.00082EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/05/28 2:44 p.m.4 views

CVE-2026-44593 esm.sh: Legacy Route Path Traversal Can Lead to RCE

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7CVSS5.9AI score0.00082EPSS
Exploits0References1
CNNVD
CNNVDadded 2026/05/28 12:0 a.m.5 views

esm.sh 路径遍历漏洞

esm.sh is an open-source content distribution network developed by esm.sh. Versions of esm.sh 137 and earlier contained a path traversal vulnerability. This vulnerability stemmed from the fact that older routers did not clean up path components during the concatenation process, allowing attackers...

8.7CVSS5.8AI score0.00082EPSS
Exploits0References1
CNNVD
CNNVDadded 2026/05/28 12:0 a.m.5 views

esm.sh 安全漏洞

esm.sh is an open-source content distribution network developed by esm.sh. Versions of esm.sh 137 and earlier contained a security vulnerability. This vulnerability stemmed from the esbuild plugin’s handling of the browser field in package.json, which allowed attackers to publish npm packages,...

7.5CVSS5.8AI score0.00057EPSS
Exploits0References1
Veracode
Veracodeadded 2026/05/16 5:32 a.m.9 views

Server-Side Request Forgery

esm.sh is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation in the /https fetch route, where localhost and internal network protections rely on hostname string checks that can be bypassed using DNS alias domains, allowing attackers to induce...

8.6CVSS7.2AI score0.00064EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blogadded 2026/05/12 10:22 p.m.4 views

esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary A Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details The vulnerable...

7.5CVSS6AI score0.00057EPSS
Exploits0References3Affected Software1
Circl
Circladded 2026/05/08 10:6 a.m.3 views

CVE-2026-44594

creationtimestamp| type| source ---|---|--- 2026-05-08 10:06:38+00:00| published-proof-of-concept| https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57 2026-05-28 17:03:05+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmwitspraf2t 2026-05-28...

7.5CVSS5.8AI score0.00057EPSS
Exploits0References3
SUSE CVE
SUSE CVEadded 2026/03/25 12:27 a.m.3 views

SUSE CVE-2026-27730

esm.sh is a no-build content delivery network CDN for web development. Versions up to and including 137 have an SSRF vulnerability CWE-918 in esm.sh's /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...

8.6CVSS7.2AI score0.00064EPSS
Exploits1References3
SUSE CVE
SUSE CVEadded 2026/03/05 6:56 a.m.3 views

SUSE CVE-2025-50180

esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...

8.7CVSS5.8AI score0.00065EPSS
Exploits1References3
RedhatCVE
RedhatCVEadded 2026/02/26 10:35 p.m.4 views

CVE-2025-50180

esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...

8.7CVSS5.4AI score0.00065EPSS
Exploits1References1
Rows per page
Query Builder